SC-08 Transmission Confidentiality and Integrity
Protect the sc-08_odp of transmitted information.
Parameter ID | Definition |
---|---|
sc-08_odp | Selection (one-or-more): |
Baselines
- L
- M
- H
- P
Guidance
Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.
Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.
References
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 197 National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197.
- SP 800-52 McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2.
- SP 800-77 Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1.
- SP 800-81-2 Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2.
- SP 800-113 Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113.
- SP 800-177 Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1.
- IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
Control Enhancements
- SC-08(01) Cryptographic Protection
- SC-08(02) Pre- and Post-transmission Handling
- SC-08(03) Cryptographic Protection for Message Externals
- SC-08(04) Conceal or Randomize Communications
- SC-08(05) Protected Distribution System
Related controls
- AC-17 Remote Access
- AC-18 Wireless Access
- AU-10 Non-repudiation
- IA-03 Device Identification and Authentication
- IA-08 Identification and Authentication (Non-organizational Users)
- IA-09 Service Identification and Authentication
- MA-04 Nonlocal Maintenance
- PE-04 Access Control for Transmission
- SA-04 Acquisition Process
- SA-08 Security and Privacy Engineering Principles
- SC-07 Boundary Protection
- SC-16 Transmission of Security and Privacy Attributes
- SC-20 Secure Name/Address Resolution Service (Authoritative Source)
- SC-23 Session Authenticity
- SC-28 Protection of Information at Rest